I am using mitmproxy* to redirect web traffic in my automation suite. I usually have to set Access-Control-Allow-Origin headers in the response to hit all of the endpoints correctly.
I have a request I would like to make, but it references another endpoint and I am now receiving a CORS error because I cannot set the headers in that nested response. For some reason that request has my website's origin, but doesn't go through the proxy.
Access to XMLHttpRequest at $ENDPOINT from origin $MY_WEBSITE has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Is it possible to get around this problem of a nested response, or is this a limitation of mitmproxy?
*I should note I'm using mitmdump, mitmproxy's command-line version.
The JS error you posted does not indicate a mitmproxy problem to me. As the error states, it seems like you are setting access control headers incorrectly. https://stackoverflow.com/a/19744754/934719 has a succinct explanation.
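The header combination the browser error asks for, as an added example that is not part of the original posts: a mitmproxy addon script that replaces the wildcard with the exact request Origin and allows credentials. The allowlisted origin is a constructed placeholder, and the script only affects requests that actually pass through the proxy.

```python
# Addon script for: mitmdump -s <this file>
# Constructed placeholder: set this to the origin(s) of the site under test.
ALLOWED_ORIGINS = {"https://app.example.test"}


def cors_headers(request_headers, allowed=ALLOWED_ORIGINS):
    """Build CORS response headers for a credentialed cross-origin request.

    Browsers reject 'Access-Control-Allow-Origin: *' when the credentials
    mode is 'include', so the exact Origin is echoed, and only when it is
    allowlisted. Echoing any Origin with credentials enabled would let every
    site read authenticated responses.
    """
    origin = request_headers.get("Origin")
    if not origin or origin not in allowed:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }
    # Preflight: with credentials, '*' is not a wildcard here either,
    # so echo what the browser asked for.
    if request_headers.get("Access-Control-Request-Method"):
        headers["Access-Control-Allow-Methods"] = request_headers.get(
            "Access-Control-Request-Method")
    if request_headers.get("Access-Control-Request-Headers"):
        headers["Access-Control-Allow-Headers"] = request_headers.get(
            "Access-Control-Request-Headers")
    return headers


def response(flow):
    """mitmproxy 'response' event hook: rewrite the CORS headers in place."""
    new = cors_headers(flow.request.headers)
    if not new:
        return  # Origin not allowlisted: leave the server's headers untouched
    for name, value in new.items():
        flow.response.headers[name] = value
    # The response now depends on Origin, so caches must key on it.
    vary = flow.response.headers.get("Vary")
    if not vary:
        flow.response.headers["Vary"] = "Origin"
    elif "origin" not in vary.lower():
        flow.response.headers["Vary"] = vary + ", Origin"
```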